问题描述:

Suppose that our web-hosting is linux and php is installed:

1- What could be the worst that happens when a php code can be uploaded instead of an image.

2- Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.

3- What if when the image directory has 644 permission?

The answer to my question can be combined with the ones given to these two: Security: How to validate image file uploads? and Security issues in accepting image uploads

网友答案:

What could be the worst that happens when a php code can be uploaded instead of an image.

Worst case: Intruder can execute arbitrary PHP code, maybe even arbitrary code on the server. If the attacker is clever enough while the sysadmins aren't, he might even own the whole server/subnet/network/...

Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.

If the attacker can execute PHP code (which of course depends on your security measures), he can definitely read files from the current user, so the answer is most probably yes.

What if when the image directory has 644 permission?

Unless you use PHP in CGI mode, the execute bit shouldn't be necessary for the webserver to execute a script, so that alone doesn't help.


Of course those are not the questions you should ask. The question you should ask is how to prevent an attacker from uploading an executable PHP file in the first place. My answer to that is that you should check the file extension against a white list and drop everything else, for example:

$pattern = "/\.(jpe?g|gif|png)$/iD";
if (!preg_match($pattern, $filename))
    die("Please don't.");
网友答案:

You should make sure you don't allow parsing of php files in your image directory, since I'm assuming it's going to be open to the public.

You could do this in the /images/.htaccess file with

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3

That way if they try to go to domain.com/images/hackdatabase.php it'll just return their code and not the file.

But you should check to make sure its' an image in the first place.

相关阅读:
Top